What makes a password strong: entropy
Password strength is measured in bits of entropy — the amount of unpredictability in the password. For a password whose every character is chosen uniformly at random, entropy is log₂(C^L) = L × log₂(C), where C is the size of the character set and L is the length. The formula assumes random selection: a human-chosen password that merely contains those character classes has far less entropy, because people pick predictable patterns.
A 12-character password using uppercase, lowercase, digits, and 32 common symbols (C = 94) has roughly 78 bits of entropy: log₂(94^12) ≈ 78.8.
| Character set | Example length | Approx. entropy |
|---|---|---|
| Lowercase only (26) | 16 chars | ~75 bits |
| Letters + digits (62) | 13 chars | ~77 bits |
| Full ASCII (94) | 12 chars | ~79 bits |
| Full ASCII (94) | 16 chars | ~105 bits |
The practical threshold for a strong password in 2026 is at least 72–80 bits, which corresponds to roughly 12 characters from a full character set or 16+ characters from letters and digits only.
Random passwords vs. passphrases
A randomly generated password like "k#9Wm!rT2vLp" is high entropy and resistant to brute force, but it is hard to remember and easy to mistype. A passphrase — a sequence of words picked at random from a large word list, such as "correct-horse-battery-staple" — can achieve similar or higher entropy while being far more memorable. Each word contributes log₂(list size) bits, so a passphrase's entropy depends only on the size of the list and the number of words; the words must come from dice or a generator, not from your own choice.
| Format | Example | Entropy |
|---|---|---|
| 4-word passphrase (EFF list) | timber-raven-cloak-exit | ~51 bits |
| 5-word passphrase | timber-raven-cloak-exit-bold | ~65 bits |
| 6-word passphrase | timber-raven-cloak-exit-bold-mist | ~77 bits |
| 12-char random (full set) | k#9Wm!rT2vLp | ~79 bits |
Passphrases are particularly good for master passwords (password managers, full-disk encryption) where you need to type them by hand.
Common mistakes to avoid
These patterns are well-known to attackers and provide far less security than they appear to:
- Letter-number substitutions (p4ssw0rd) — attackers apply these automatically.
- Word + number + symbol (password123!) — one of the most common patterns in leaked databases.
- Capital letter at the start only — adds almost no entropy.
- Personal information — names, birthdays, and pet names are tried early in targeted attacks.
- Reusing passwords — when one site is breached, attackers immediately test those credentials elsewhere (credential stuffing). A unique password for every account is far safer than one very strong password used everywhere.
The case for a password manager
A password manager solves the memorability problem entirely. You only need to remember one strong master password; the manager generates, stores, and auto-fills a unique random password for every site.
Popular options:
- Bitwarden — open-source, free tier, cloud-synced
- 1Password — polished, family and team plans available
- KeePassXC — local storage only, no cloud, fully offline
When generating passwords through a manager, use at least 16 characters with all character classes enabled. Above a certain point, length matters more than complexity, because entropy grows linearly with length but only logarithmically with the size of the character set: a 20-character all-lowercase random string is stronger than a 10-character mixed-case string.
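As an added example (not code from the original article), the following Python script implements the entropy formula from the first section, reproduces the figures in both tables, checks the lowercase-versus-mixed-case comparison above, and generates passwords and passphrases with the operating system's CSPRNG. The 7776-word size of the EFF long list is a known fact; the eight-word list is a constructed stand-in so the script runs offline.

```python
import math
import secrets
import string

# The article's full character set: 26 + 26 + 10 + 32 = 94 characters.
FULL_SET = string.ascii_letters + string.digits + string.punctuation
# Lower end of the article's 72-80 bit "strong" threshold.
STRONG_BITS = 72
# Size of the real EFF long wordlist (five dice rolls); assumed, not loaded.
EFF_LONG_LIST_SIZE = 7776
# Constructed 8-word stand-in so the example runs offline. It is deliberately
# tiny: phrases drawn from it get only 3 bits per word.
SAMPLE_WORDS = ["timber", "raven", "cloak", "exit", "bold", "mist", "harbor", "quartz"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret whose every element is drawn uniformly from a pool.
    log2(C**L) == L * log2(C); the product form avoids a huge intermediate."""
    return length * math.log2(pool_size)


def is_strong(bits: float) -> bool:
    return bits >= STRONG_BITS


def random_password(length: int = 16, alphabet: str = FULL_SET) -> tuple[str, float]:
    """Uniform random password via the OS CSPRNG (`secrets`, never `random`)."""
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    return password, entropy_bits(len(alphabet), length)


def random_passphrase(words: int = 6, wordlist: list[str] = SAMPLE_WORDS) -> tuple[str, float]:
    """Diceware-style passphrase; entropy depends only on list size and word count."""
    phrase = "-".join(secrets.choice(wordlist) for _ in range(words))
    return phrase, entropy_bits(len(wordlist), words)


if __name__ == "__main__":
    for pool, length, label in [(26, 16, "lowercase"), (62, 13, "letters+digits"),
                                (94, 12, "full ASCII"), (94, 16, "full ASCII")]:
        bits = entropy_bits(pool, length)
        print(f"{label:15s} {length:2d} chars: {bits:5.1f} bits, strong={is_strong(bits)}")
    for n in (4, 5, 6):
        print(f"{n}-word EFF passphrase: {entropy_bits(EFF_LONG_LIST_SIZE, n):.1f} bits")
    pw, bits = random_password(16)
    print(f"generated {pw!r}: {bits:.1f} bits")
    phrase, bits = random_passphrase(6)
    print(f"generated {phrase!r} from an 8-word list: only {bits:.1f} bits")
```

The last line is the point about word lists: six words from an eight-word list give 18 bits, so a passphrase is only as strong as the list it is drawn from.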